Abstract

The purpose of this document is to describe the state of the practice in information assurance and security curriculum and certification. The scope is not exhaustive, but rather illustrative of the types of activity occurring today within various organizations, including government, universities and research centers, professional societies, and the business community. Although individual courses are available, there apparently is no systematic agreement on the knowledge, skills, and abilities required to formulate a curriculum for information security professionals that enjoys broad-based support across organizations. As a result of Presidential Decision Directive 63 and the charge to protect the nation’s critical infrastructures, the pressure is increasing to provide some minimum level of competence for system and network administrators working in the field of information assurance. Presently, several professional organizations offer certified professional designations.

What is needed is a comprehensive framework for curriculum and certification in information assurance and security. Currently the thrust for training focuses primarily on the technologies of information infrastructures. However, long-term solutions for the protection of critical information assets will require a more comprehensive approach in which senior executives and managers, as well as technical staff, develop strong and diverse skills that allow them to advance an organization’s mission in a dynamic and increasingly hostile networked environment.
1 Overview of the Current Situation

1.1 Background

With the complexity of today’s software, hardware, and networking products, it is difficult to properly configure systems and networks to use the strongest security measures appropriate to an organization’s needs, even for people with good technical skills and training. Small mistakes can leave systems vulnerable and put information assets suddenly at risk. Long-term solutions for the protection of critical information assets will require fundamental changes in the architecture of computer systems as well as changes in the way technology is developed, deployed, and sustained. System and network operators need strong and diverse skills that allow them to work successfully in a dynamic and increasingly hostile networked environment.

1.2 The Problem

Currently, training for system and network administrators, their managers, and users insufficiently addresses requisite knowledge, skills, and abilities. While there are hundreds of training courses available, there is no clear and systematic path for identifying the kind of training that will result in the right learning in relation to a particular job or set of job task requirements. Additionally, the technology changes rapidly, resulting in the need for continued updating of skills. Consequently, course content is dynamic as well. Thus, any systematic effort to train and certify system and network administrators must account for changing technical requirements and course content. Even more problematic is the lack of a comprehensive body of knowledge that can be used to develop information assurance and security curricula and to define the competencies and requirements for a workforce.

Furthermore, if the goal is to improve the security posture of U.S. critical infrastructures, then providing training to information technology security specialists and professionals addresses only the technical portion of the problem. Senior management must provide to those technical staff responsible for the secure administration of networked systems a clear sense of priority levels and appropriate policies, as well as risk-mitigation strategies, for securing various information assets. First-line managers of technical staff must be able to articulate the technical implications of these decisions so that cost-benefit tradeoffs can be evaluated. Thus, long-term solutions for the protection of critical information assets will require that senior executives and managers, as well as technical staff, develop strong and diverse skills.
1.3 Current Approaches

The U.S. government has started to address the information assurance problem for the federal sector by suggesting a federal government-wide strategy, as evidenced in Presidential Decision Directive 63 (PDD 63). A possible approach to the information assurance curriculum and certification portion of the problem could utilize the Information Technology Security Training Requirements: A Role- and Performance-Based Model, described in the NIST SP 800-16 document [Wilson 98]. This document outlines an information technology security body of knowledge, topics, and concepts. It could also provide a framework that could be used as the basis for a collaborative cross-agency effort. Also, areas within the Department of Defense are addressing the need to train information security specialists and to provide a career path for these professionals.

Clearly, the need exists for a comprehensive curriculum in information assurance and security, and for a systematic, efficient solution to the problem for both the private and public sectors.

One traditional approach to solving this problem is to identify training and educational institutions that provide courses on topics described in NIST SP 800-16. A course-certifying body might evaluate the appropriateness of courses or course-module content and provide efficient methods of course delivery and learning evaluation (e.g., tests of knowledge for material covered in courses as they relate to job-specific security practices). In addition, evaluation criteria should be established so that training and education actually result in measurable improvements in security practices for all staff.

Another traditional approach is a program of professional certification, usually developed and administered by a professional association (such as the Information Systems Audit and Control Association). Currently, two kinds of certification exist in the field of information security: a broad-based, job-independent examination, such as the Certified Information System Security Professional (CISSP) exam, and platform, tool, and technology-specific exams, such as those provided by Microsoft.

1.4 The Gap

Both traditional approaches currently exist, yet together they are insufficient to address the urgent and complex learning requirements engendered by the problem. What is needed is a way to ensure that knowledge, skills, and abilities are specifically and appropriately developed so that, over time, information assets are appropriately and effectively protected [Proceedings 98].

1.5 Proposed Framework

Knowledge and skills can be mastered in many ways. What the newly emerging field of information assurance and security lacks are two key elements.

First, a body of knowledge, specific to job tasks and responsibilities at all levels, should be described. Because the problem of information asset protection is growing and changing, some information that is now current will change or degrade over time. For example, it is important to understand how to configure and protect mail servers, domain name servers, and Web servers. However, the tools and practices required to accomplish this will change as the technologies and threats change. Another example involves the ways in which senior managers understand, evaluate, and mitigate exposure and threats to key assets as e-commerce flourishes. Therefore, part of this description should be an approach to evaluating the currency of the defined body of knowledge, and updating important information when required.

Second, a broader approach to job-specific certification should be established. Certification activities must measure both the knowledge of key subject matter as well as the ability to apply that information to job tasks. Certification approaches usually differ by type of job responsibility. For example, senior managers should know about auditing, legal issues, managing security risk, policy development, and e-commerce. Their certification might entail successfully participating in an intensive seminar with management simulations that evaluate a person’s ability to perform key management tasks. System and network administrator certification might require knowledge of concepts such as those described in NIST SP 800-16, and could measure such knowledge with a certification examination based on performance criteria set forth in the body of knowledge. Administrators could also demonstrate competence in specific practices at a hands-on training laboratory. Changes in technologies, staffing requirements, and fundamental skill requirements for various jobs might further require a renewal of certification through continuing education and re-testing of practice competence at a hands-on training laboratory.

In order to secure the information assets for national critical infrastructures, a comprehensive approach to addressing the security training and education issue might include the following:

• a framework that provides a usable structure for the identification, specification, development, and description of an overarching “body of knowledge” for the field of information assurance and security

• knowledge requirements for various job categories, including information and practices that are likely to change over time (i.e., the appropriate “body of knowledge” that should be acquired by staff with differing responsibilities)

• curriculum tracks for all job categories to ensure that staff receive important, relevant, and timely information

• collaboration partnerships between job-testing experts and institutes involved in information assurance and security to develop an effective approach to performance-based evaluation for individual certification

• a mechanism or process for providing unique information to course developers and training organizations who will work with the federal government and private sector organizations to assist staff in acquiring the requisite knowledge, skills, and abilities

CMU/SEI-99-TR-021 

• simulation laboratories that can be used to both train and assess a person’s ability to perform secure practices at several levels of job responsibility

• collaboration among academic institutions, the federal government, and the business community to advance information assurance and security education and research

Currently the focus of information assurance and security curricula is on technical areas. However, long-term solutions for the protection of critical information assets will require senior executives and managers as well as technical staff to develop strong and diverse skills that allow them to advance an organization’s mission in a dynamic and increasingly hostile networked environment.

Section 2 of this document describes the current activity in information assurance and security curriculum and certification. The scope is not exhaustive, but rather illustrative of the types of activity occurring today within various organizations, including government, universities and research centers, professional societies, and the business community. Section 3 of this document focuses on current efforts to provide a certified professional designation for system administrators and general security practitioners.
2 Current Activity in Curriculum and Certification

Pockets of activity exist within the government, universities and research centers, professional societies, and the business community related to information assurance and security. This activity includes courses, conferences, and certification of individuals for technical products. However, there apparently is no systematic agreement on the knowledge, skills, and abilities required to formulate a curriculum for information assurance and security professionals that enjoys broad-based support across organizations. Several universities have research centers and undergraduate and graduate programs in information assurance and security and related areas. However, the majority of technical training activity occurs within the vendor community, where the emphasis is on certifying system administrators for products.

2.1 Government Sector

As a result of Presidential Decision Directive 63 and the charge to protect the nation’s critical infrastructures, the pressure is increasing to provide some minimum level of competence for system and network administrators working in the field of information assurance. The Critical Infrastructure Assurance Office (CIAO) designated the Department of Commerce as responsible for the Coordinating Committees for Personnel and Training and for Education and Awareness. The Informational Seminar on PDD 63, sponsored by the General Services Administration (GSA) and the CIO Council Security Committee, identified improving system administrators’ skills as an important area for addressing the lack of security and technical knowledge that will emerge from PDD 63 vulnerability assessments.

Many initiatives have emerged as attempts to address the problem. Representative efforts that illustrate the broad scope of federal government sector organizations involved in information assurance and security education and training include the National Infrastructure Protection Center, which has an initiative to provide to its members a forum for education and training on infrastructure vulnerabilities and protection measures. The National Institute of Standards and Technology (NIST) has identified the requirements for computer security training for federal information-technology personnel, based on job functions [Wilson 98]. One of the National Security Agency’s initiatives is the National INFOSEC Education & Training Program, which has established the Information Assurance Courseware Evaluation Process. The process is intended to assess the degree to which the various institution, college, and university curricula satisfy the NSTISSI standards. The Federal Information Systems Security Educators’ Association (FISSEA) at its 1999 conference had presentations dealing with curriculum and certification issues.
Various agencies provide information assurance and security curricula to their constituents. For example, the Defense Information Systems Agency (DISA) provides INFOSEC training for information system security officers and managers. The SPAWAR INFOSEC Office has a series of recommended information systems security courses for Navy personnel. The Defense Security Institute provides consolidated training within the Department of Defense (DoD) for security professionals working both within DoD and the DoD contractor community.

2.2 Professional Organizations

Professional organizations are involved with setting standards and offering continuing education activities such as conferences and courses for their members.

The International Federation of Information Processing (IFIP) has issued a statement on information security assessment and certification as part of an effort to establish international certification standards for individuals assessing IT systems and the information security management of those systems. IFIP held the First World Conference on Information Security Education in Stockholm in June 1999.

The Information Systems Audit and Control Association (ISACA) provides the Certified Information Systems Auditor Program. The American Society of Industrial Security (ASIS) provides certification for general security management [see Sections 3.2 and 3.4]. USENIX System Administrator’s Guild (SAGE) has a certification subcommittee currently studying certification for system administrators [see Section 3.5].

Some professional organizations such as the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE) have relationships established with organizations that are involved with accreditation of higher-education computer science and engineering programs. However, accreditation does not get to the level of granularity that includes requirements for information security curricula.

Other professional organizations are not currently involved with setting standards and focus on offering courses and conferences to their members as part of a continuing professional development effort. For example, the Information Systems Security Association (ISSA) provides continuing technical education forums and conferences, such as the Open Systems Security 99 and ISSA Annual Conference.

Table 1 lists professional organizations involved in continuing professional education relevant to developing professional skills in the areas of information assurance and security. Table 1 also lists the organizations that are currently involved in certification or have initiatives to study the issue. More detail on the certification process offered by four of these organizations is provided in Section 3 of this document.
Organization | Membership Target Population | Certification of Individuals | Sponsors Activities
--- | --- | --- | ---
Association for Computing Machinery (ACM) | IT professionals; SIG-Security, Audit, Control | Currently studying | Yes
American Society for Industrial Security (ASIS) | Industrial security management professionals | Yes | Yes
Federal Information Systems Security Educators’ Association (FISSEA) | Federal information systems security educators | Currently studying | Yes
Institute of Electrical and Electronics Engineers, Inc. - Computer Society (IEEE-CS) | Electrical and electronic engineers in IEEE-CS | Currently studying | Yes
International Federation for Information Processing (IFIP) | IT professionals | Currently studying | Yes
Information Systems Audit and Control Association (ISACA) | Audit, control, and security professionals | Yes | Yes
International Information Systems Security Certification Consortium (ISC)² | Information security professionals | Yes |
Information Systems Security Association (ISSA) | Information security professionals | | Yes
National Classification Management Society | Information/computer security professionals | | Yes
National Security Institute | Security professionals | | Yes
USENIX System Administrator’s Guild (SAGE) | System administrators | Currently studying | Yes
SANS Institute | System and network security administrators | | Yes

Table 1: Professional Organizations Involved in Professional Education and Certification

2.3 University and Research Centers

Several universities offer graduate and undergraduate programs in information assurance and security and related areas, and have research centers associated with them. The Center for Research in Information Assurance and Security (CERIAS) at Purdue University provides “innovation and leadership in technology for the protection of information and information resources, and in the development and enhancement of expertise in information assurance and security.” James Madison University (JMU) has the Center for Research in Information Systems Security Education. JMU also sponsors the National Colloquium for Information Systems Security Education for professionals in business and industry, academia, and government.

The Center for Secure Information Systems (CSIS) at George Mason University offers a Graduate Certificate Program in Information Systems Security and also sponsors workshops, tutorials, and conferences. The University of California, Davis has the Computer Security Laboratory and is involved in technical research. The Department of Computer Science at the University of Idaho offers an undergraduate degree in Computer Security and degrees in Network System Security and Trusted Systems at the master’s and doctorate levels.

The H. John Heinz III School of Public Policy and Management at Carnegie Mellon University offers a Certificate in Information Security Management and a Master of Information Systems for Public Policy and Management with a concentration in Information Security Management. The CERT® Coordination Center* at Carnegie Mellon’s Software Engineering Institute offers courses in incident response and information security.

The Information Operations Department of the National Defense University provides instruction on information assurance and information operations for students in the National War College and the Industrial College of the Armed Forces. The Naval Postgraduate School operates the Center for INFOSEC Studies and Research.

* CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.

Table 2 lists some of the university and research centers conducting courses and research in information assurance that are most frequently referenced in Web site links relating to computer security.

Universities and Research Centers

Carnegie Mellon University, H. John Heinz III School of Public Policy and Management, CERT® Coordination Center
George Mason University, Center for Secure Information Systems
George Washington University, Cyberspace Policy Institute
Idaho State University
James Madison University, Center for Research in Information Systems Security Education
Lawrence Livermore National Laboratory, Computer Security Technology Center
Massachusetts Institute of Technology
National Defense University
Naval Postgraduate School, Center for INFOSEC Studies and Research
Princeton University, Secure Internet Programming Group
Purdue University, Center for Education and Research in Information Assurance and Security
University of California, Berkeley
University of California, Davis, Computer Security Laboratory
University of Idaho

Table 2: University and Research Centers Conducting Courses and Research in Information Assurance



2.4 Business Community

The majority of the technical training for system and network administrators and other professionals in information security occurs in the private sector and is provided by software vendors that certify individuals in their various products [Martinez 99]. Some vendors, such as Cisco Systems, have curriculum tracks that cluster technology specializations and provide certification designations, such as “Cisco Certified Network Professional” with a specialization in security.

Table 3 lists some companies currently offering or involved in technical training that includes information security subject matter.

Company | Certification Offered in Specific Products
--- | ---
AXENT Technologies, Inc. | AXENT security product training
Cisco Systems | Cisco Certified Network Professional-Security Specialization
Check Point Software Technologies, Ltd. | Check Point Certified Security Administrator; Check Point Certified Security Engineer
Computer Security Institute | Information security seminars and on-site training
IBM | Global Security Laboratory
Tivoli Systems | Certified Solutions Expert-Firewall; Certified Consultant-Security Management
Internet Security Systems | ISS Certified Engineer
Learning Tree International | System and Network Security Certified Professional
McAfee Software (Network Associates) | McAfee Certified Anti-Virus Administrator
Microsoft | Microsoft Certified Professional + Internet
Mitretek | Information Security Engineer
Network Associates, Inc. | Certified Network Expert; NetSpecialist
Open Group Security Training Alliance | Courses target CIOs, IT managers
Prosoft Training.com | Certified Internet Webmaster-Security Professional; Certified UNIX Administrator
Sequent | Sequent Certified System Administrator
Sun Microsystems, Inc. | Sun Certified System Administrator; Sun Certified Network Administrator
Symantec | Certified Norton AntiVirus Consultant
USWeb Learning, Inc. | HyCurve Security Specialist
XOR | Courses in UNIX System Administration and Cisco Router administration

Table 3: Companies Involved in Technical Training
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3  Description  of  Certified  Professionai 
Designations 


Four  professional  societies  currently  offer  certification  for  system  administrators  or  general 
security  practitioners.  (ISC)^  offers  the  designation  of  Certified  Information  System  Security 
Professional  (CISSP).  The  Information  Systems  Audit  and  Control  Association  (ISACA)  pro¬ 
vides  the  Certified  Information  Systems  Auditor  (CISA)  certification.  The  Institute  for  Certi¬ 
fication  of  Computer  Professionals  (ICCP)  offers  the  Certified  Computing  Professional  cre¬ 
dential  for  a  number  of  subject  areas  including  system  security.  The  American  Society  of 
Industrial  Security  (ASIS)  offers  generalist  certification  in  security  management.  USENIX 
System  Administrator’s  Guild  (SAGE)  is  examining  the  issue  of  certification  for  generalist 
knowledge  of  system  administrators. 

3.1  Certified  Information  System  Security 
Professionai  (CISSP) 

The  Certified  Information  System  Security  Professional  (CISSP)  is  a  designation  provided  by 
(ISC)^  to  a  person  who  has  three  years  of  work  related  to  information  systems  security,  per¬ 
formed  as  a  practitioner,  auditor,  consultant,  vendor,  investigator,  or  instructor,  and  who  has 
successfully  passed  an  exam  and  supports  a  code  of  ethics.  An  eight-day  review  seminar  for 
the  exam  is  available.  Exam  topics  include  policy,  standards,  legal  issues,  risk  management 
and  business  continuity  planning,  computer  architecture  and  system  security,  access  control, 
cryptography,  physical  security,  operations  security,  application  security,  and  communications 
security.  Re-certification  is  granted  every  three  years  after  an  individual  earns  120  continuing 
education  credits,  which  can  be  earned  through  activities  such  as  courses,  conference  atten¬ 
dance,  publications,  and  service  on  professional  security  boards.^  As  of  early  1998  1,500 
individuals  held  the  CISSP  designation.^ 

3.2  Certified  Information  Systems  Auditor  (CISA) 

The  Information  Systems  Audit  and  Control  Association  (ISACA)  provides  the  Certified  In¬ 
formation  Systems  Auditor  (CISA)  certification  to  individuals  with  five  years  of  experience 
in  information  systems  audit,  control,  and  security  (some  academic  work  may  be  substituted 
for  experience),  who  successfully  pass  an  exam,  and  who  support  a  code  of  ethics.  Review 
courses  and  reference  materials  are  available.  The  exam  is  based  on  job  analysis  of  tasks  per¬ 
formed  by  information  systems  audit,  control,  and  security  professionals.  Topics  on  informa¬ 
tion  systems  include  audit  standards  and  practices,  organization/management,  process,  integ¬ 
rity/confidentiality/availability,  and  development/acquisition/maintenance.  Re-certification  is 
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granted  every  three  years  after  a  person  earns  120  continuing  education  credits.  In  1998  ap¬ 
proximately  4,300  professionals  took  the  exam  and  54%  passed.^* 

3.3  Certified  Computing  Professionai  (CCP) 

The  Institute  for  Certification  of  Computer  Professionals  offers  the  designation  of  Certified 
Computing  Professional  (CCP)  to  computer  professionals  who  have  four  years  of  experience 
(or  two  years  of  experience  plus  a  bachelor’s  degree  in  a  related  field)  and  pass  a  core  exam 
and  two  specialty  exams.  The  core  examination  covers  general  knowledge  on  information 
systems  and  technology.  The  specialty  exam  in  information  security  includes  testing  on  risk 
assessment,  recovery,  security,  system  design,  and  security  management.  Re-certification  re¬ 
quires  120  hours  of  educational  and  professional  activities.  Currently  about  50,000  people 
hold  CCPs,  some  of  whom  may  have  taken  the  specialty  exam  in  systems  security.^ 

3.4 Certified Protection Professional (CPP)

The American Society of Industrial Security (ASIS) offers generalist certification as a Certified Protection Professional (CPP) in security management to individuals who have nine years of experience in general security management (this may include academic credits) and who successfully pass an exam. The items on the exam are based on a job analysis of the functions required for effective performance of security management. Topics include emergency management, investigations, legal aspects, personnel security, physical security, protection of sensitive information, and security management. The target membership of ASIS, a professional organization, is professionals responsible for security, including managers and directors of security, corporate executives, and other management personnel, as well as people in related areas such as attorneys, architects, and law enforcement officials. The ASIS Standing Committee on Computer Security targets general security managers and not system administrators. ASIS International has 30,000 members; 4,000 people currently hold the CPP designation.

3.5 USENIX System Administrator's Guild (SAGE)

USENIX System Administrator's Guild (SAGE) is studying the issues of certification and continuing education. SAGE's efforts to establish standards of practice include a competency checklist, the purpose of which is to begin developing a taxonomy of system administration skills and competency domains of knowledge [Kuncicky 98]. The SAGE Certification Subcommittee currently has a project scheduled for completion by the end of 1999 to develop skill requirements and evaluate testing methodologies and implementation logistics. SAGE will then decide whether it will manage a certification program.

The requirements of the four certification programs of (ISC)², ISACA, ICCP, and ASIS are compared in Table 4.




Table 4: Comparison of Certification Designations

| Certification Designation | Organization | Experience Required (years) | Code of Ethics | Exam | Review Courses | Re-certification (period; requirements) | Number Taking Exam in 1998 | Number of Current Holders |
|---|---|---|---|---|---|---|---|---|
| CISSP | (ISC)² | 3 | Yes | Yes | 8-day review optional | Every 3 years; exam or 120 CEUs | N/A | 1,500 |
| CISA | ISACA | 1 | Yes | Yes | Courses and materials available | 3 years; 120 CEUs | 4,300; 54% passed | N/A |
| CCP | ICCP | 4* | Yes | Yes | Courses and materials available | 3 years; 120 CEUs | N/A | 50,000 |
| CPP | ASIS | 9* | Yes | Yes | Courses and materials available | 3 years; 18 CEUs plus other | N/A | 4,000 |

*Some academic work may be substituted for experience.
4 Summary

There apparently is no systematic agreement on the knowledge, skills, and abilities required to formulate a comprehensive curriculum for information assurance and security that enjoys broad-based support across organizations. Presently, the majority of technical training activity occurs within the vendor community, where the emphasis is on certifying system administrators for products. There also is no certification infrastructure in place that enjoys broad-based support across organizations. Several professional organizations currently have certification programs. Some involve only testing, while others also provide access to courses within a prescribed curriculum. In the academic community, a growing number of universities have undergraduate and graduate programs and research centers in information assurance and security. The federal government makes courses in information assurance and security available to its constituents.

What is needed is a comprehensive framework for curriculum and certification in information assurance and security that addresses the management challenges as well as the technical challenges of protecting the nation's critical infrastructures. Current activity focuses primarily on the technologies of information infrastructures. However, long-term solutions for the protection of critical information assets will require a more comprehensive approach in which senior executives and managers, as well as technical staffs, develop strong and diverse skills that allow them to advance an organization's mission in a dynamic and increasingly hostile networked environment.
Endnotes

For definitions of "information assurance" and "information systems security" as used in this document, see National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, National Security Telecommunications and Information Systems Security Committee, August 1997, p. 21.

Mark Boster, "CIO Council Security Committee and PDD 63," Oct. 13, 1998, Washington, DC. http://www.ciao.gov/seminar19981013.html

http://www.nipc.gov/nipc/nipc.htm

http://www.nsa.gov:8080/isso/programs/nietp/corseval.htm

The 1999 12th Annual FISSEA Conference, "Paradigm Shifts for Teaching Computer Security in the New Millennium," included two presentations specifically dealing with curriculum and certification issues. They were "Assembling a Curriculum for Various Security Disciplines" (Jane Powanda, Mitretek) and "Professionalization: Becoming a CISS" (Wayne Madsen, senior fellow, Electronic Privacy Information Center). http://csrc.nist.gov/organizations/fissea/99Fissea.html

http://www.disa.mil/infosec/itfcour.html

http://infosec.nosc.mil/TRAINING/training2.html

http://www.dss.mil/training/

http://www.ifip.tu-graz.ac.at/TC11/TC11.crypto/certification.html
http://www.dsv.su.se/WISE1/index2.html

The Computer Science Accreditation Board (CSAB) accredits post-secondary baccalaureate programs in computer science, and the Accreditation Board for Engineering and Technology (ABET) accredits engineering technology programs for higher education through ABET. CSAB and ABET have made preliminary agreements to merge and to accredit software engineering programs.

http://www.issa-intl.org/mis99.html

http://www.cs.purdue.edu/coast/cerias/about.html

http://www.infosec.jmu.edu

http://www.infosec.jmu.edu/ncisse/

http://www.isse.gmu.edu/~csis/index.html

http://seclab.cs.ucdavis.edu/

http://www.cs.uidaho.edu/

http://www.cmu.edu

http://www.cert.org

http://www.ndu.edu/irmc/

http://cisr.nps.navy.mil/

http://www.cisco.com/warp/public/10/wwtraining/certprog/special/course.html

http://www.isc2.org

http://www.infosecnews.com/scmagazine/1998 04/lastword/lastword.html
http://www.isaca.org
http://www.iccp.org
http://www.asisonline.org
http://www.usenix.org/sage/cert/certification.html